Federal Cyber Security Framework Draft Nearly Completed

The herculean task of drafting the nation’s first Cybersecurity Framework, which is being developed under the leadership of the National Institute of Standards and Technology (NIST), is all but completed, and publication of the document is on track for February of 2014.

The framework is being developed with the aid of several thousand security experts who have attended workshops or contributed to the draft. The effort was prompted by President Obama’s Executive Order, issued in February of this year, which was intended to spur action to bolster the nation’s cybersecurity stature.

“There are really two major moving parts to the framework. One is a collection of existing standards and practices. You will recognize many of them. The other is a structure, a framework in the true sense of the word, that organizes those practices and provides really a set of tools that support the use and adoption of those standards and practices,” NIST’s director Patrick Gallagher said at the Billington Cybersecurity summit in Washington.

Compliance with the Framework will be voluntary, and the focus will be on several key initiatives, including outlining five facets of cyber defense, addressing issues of cybersecurity maturity, and establishing benchmarks for organizations to judge their cybersecurity readiness.

“It identifies a set of implementation tiers from an early-adopter, low maturity organization that may be very rule-based, to a highly-mature organization that has organized risk management at all levels. It’s analogous to a cultural approach, much like what we’ve seen in safety management and other areas. A key construct here is that there is no threat-proofing. There is no magic bullet. This is not about eliminating the problem, this is about managing it,” Gallagher said.